Вы находитесь на странице: 1из 302
SystemManagement Services (SMS) 1.6 Administrator Guide Sun Microsystems, Inc. www.sun.com Part No. 819-4660-10 May 2006,

SystemManagement Services (SMS) 1.6 Administrator Guide

Sun Microsystems, Inc. www.sun.com

Part No. 819-4660-10 May 2006, Revision A

for Sun Fire High-End Systems

Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Copyright 2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, Java, AnswerBook2, docs.sun.com, OpenBoot , Sun BluePrints, Sun Fire, Sunsolve, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and in other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, Californie 95054, États-Unis. Tous droits réservés.

Sun Microsystems, Inc. possède les droits de propriété intellectuels relatifs à la technologie décrite dans ce document. En particulier, et sans limitation, ces droits de propriété intellectuels peuvent inclure un ou plusieurs des brevets américains listés sur le site http://www.sun.com/patents, un ou les plusieurs brevets supplémentaires ainsi que les demandes de brevet en attente aux les États-Unis et dans d’autres pays.

Ce document et le produit auquel il se rapporte sont protégés par un copyright et distribués sous licences, celles-ci en restreignent l’utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a.

Tout logiciel tiers, sa technologie relative aux polices de caractères, comprise, est protégé par un copyright et licencié par des fournisseurs de Sun.

Des parties de ce produit peuvent dériver des systèmes Berkeley BSD licenciés par l’Université de Californie. UNIX est une marque déposée aux États-Unis et dans d’autres pays, licenciée exclusivement par X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, Java, AnswerBook2, docs.sun.com, OpenBoot , Sun BluePrints, Sun Fire, Sunsolve, et Solaris sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux États-Unis et dans d’autres pays.

Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux États-Unis et dans d’autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc.

L’interface utilisateur graphique OPEN LOOK et Sun™ a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox dans la recherche et le développement du concept des interfaces utilisateur visuelles ou graphiques pour l’industrie informatique. Sun détient une license non exclusive de Xerox sur l’interface utilisateur graphique Xerox, cette licence couvrant également les licenciés de Sun implémentant les interfaces utilisateur graphiques OPEN LOOK et se conforment en outre aux licences écrites de Sun.

LA DOCUMENTATION EST FOURNIE "EN L’ÉTAT" ET TOUTES AUTRES CONDITIONS, DÉCLARATIONS ET GARANTIES EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES DANS LA LIMITE DE LA LOI APPLICABLE, Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE À LA QUALITÉ MARCHANDE, À L’APTITUDE À UNE UTILISATION PARTICULIÈRE OU À L’ABSENCE DE CONTREFAÇON.

RELATIVE À LA QUALITÉ MARCHANDE, À L’APTITUDE À UNE UTILISATION PARTICULIÈRE OU À L’ABSENCE DE CONTREFAÇON.

Contents

Preface

xxi

1. Introduction to System Management Services

Sun Fire High-End Systems

Redundant SCs

SMS Features

3

2

1

1

Features Provided in Previous Releases of SMS

4

New Features Provided in SMS 1.6 Release

5

6

 

5

VCMON 5 System Architecture

 

SMS Administration Environment Network Connections for Administrators

7

SMS Operating System

7

To Begin Using the SC

8

 

SMS Console Window

11

To Display a Console Window Locally

11

Tilde Escape Sequences

13

Remote Console Session

Sun Management Center

14

14

2. SMS 1.6 Security

17

Domain Security Overview

System Controller Security Overview

18

Redundant System Controllers

SC Network Interfaces

19

19

18

Main SC Network Interfaces

Domain-to-SC Communication (scman0) Interface

SC-to-SC Communication (scman1) Interface

Spare SC Network Interfaces

Main and Spare Network Interface Sample Configurations

20

20

21

21

What Has Changed in SMS 1.6

24

Secure By Default (Fresh Installation)

Secure By Choice (Upgrade)

Installation Changes

Assumptions and Limitations

Obtaining Support

24

25

24

27

24

22

Initial or Fresh SMS Installation Using smsinstall Command (Secure by

Default)

Customizing the Solaris Security Toolkit

Optionally Securing Domains

27

27

27

SMS Upgrade Installation Using smsupgrade Command (Secure by Choice)

Optionally Securing Domains

Using Solaris Security Toolkit to Secure the System Controller

28

Solaris Security Toolkit Software

29

Customizing the Solaris Security Toolkit Driver

To Disable I1 Traffic (Domain Exclusion)

To Enable FTP or Telnet

31

31

30

29

28

To View the Contents of the Driver File

32

To Undo a Solaris Security Toolkit Run

32

3.

SMS Administrative Privileges

35

Administrative Privileges Overview Platform Administrator Group

35

36

Platform Operator Group Platform Service Group

Domain Administrator Group Domain Configuration Group

Superuser Privileges

All Privileges

38

38

43

43

40

42

4.

SMS Internals

49

Startup Flow

49

SMS Daemons

50

Capacity on Demand Daemon Domain Configuration Agent

Domain Status Monitoring Daemon

Domain X Server

Error and Fault Handling Daemon

Event Log Access Daemon Event Reporting Daemon

54

55

57

59

60

56

58

Environmental Status Monitoring Daemon

60

Failover Management Daemon

61

FRU Access Daemon

62

Hardware Access Daemon

63

Key Management Daemon

65

Management Network Daemon

68

Message Logging Daemon

69

OpenBoot PROM Support Daemon

70

Platform Configuration Database Daemon

71

Platform Configuration Domain Configuration

Platform Configuration Domain Configuration

72

73

System Board Configuration

SMS Startup Daemon Scripts 75

74

Spare Mode

77

Main Mode

77

74

Domain-Specific Process Startup

Monitoring and Restarts

SMS Shut Down

78

78

Task Management Daemon

Environment Variables

79

78

78

5.

SMS Domain Configuration

81

Domain Configuration Units

82

Domain Configuration Requirements

DCU Assignment

83

82

Static Versus Dynamic Domain Configuration Global Automatic Dynamic Reconfiguration

Configuration for Platform Administrators

Available Component List

85

85

83

84

To Set Up the Available Component List

85

Configuring Domains

87

To Name or Change Domain Names From the Command Line

To Add Boards to a Domain From the Command Line

To Delete Boards From a Domain From the Command Line

To Move Boards Between Domains From the Command Line

To Set Domain Defaults

To Obtain Board Status

87

88

90

91

92

93

To Obtain Domain Status

94

Virtual Time of Day

Setting the Date and Time

96

97

To Set the Date on the SC

To Set the Date for Domain eng2

To Display the Date on the SC

To Display the Date on Domain eng2

97

97

97

Configuring NTP

98

To Create the ntp.conf File

98

Virtual ID PROM

101

98

The flashupdate Command

101

Configuration for Domain Administrators

Configuring Domains

102

102

To Add Boards to a Domain From the Command Line

To Delete Boards From a Domain From the Command Line

To Move Boards Between Domains From the Command Line

102

To Set Domain Defaults

108

To Obtain Board Status

108

To Obtain Domain Status

109

To Obtain Device Status

110

Virtual Keyswitch

111

The setkeyswitch Command

111

To Set the Virtual Keyswitch On in Domain A

To Display the Virtual Keyswitch Setting in Domain A

114

Virtual NVRAM

114

114

104

106

Setting the OpenBoot PROM Variables

To Recover From a Repeated Domain Panic

To Set the OpenBoot PROM Security Mode Variable in Domain A

115

117

118

To See the OpenBoot PROM Variables

Degraded Configuration Preferences

The setbus Command

119

119

118

To Set All Buses on All Active Domains to Use Both CSBs

The showbus Command

120

To Show All Buses on All Active Domains

6. Automatic Diagnosis and Recovery

121

Automatic Diagnosis and Recovery Overview

121

Hardware Errors Associated With Domain Stops

120

122

Nonfatal Domain Hardware Errors

124

POST-Detected Hardware Failures

126

Enabling Email Event Notification

127

To Enable Email Event Notification

Configuring an Email Template

Configuring the Email Control File

129

132

129

Testing Email Event Notification

135

To Test Email Event Notification

What To Do If Test Email Fails

137

136

Obtaining Diagnosis and Recovery Information

138

Reviewing Diagnosis Events

138

Reviewing the Event Log

139

7. Capacity on Demand

141

COD Overview

141

COD Licensing Process

142

COD RTU License Allocation

142

Instant Access CPUs

Instant Access CPUs as Hot Spares

143

144

119

Resource Monitoring

144

Getting Started With COD

Managing COD RTU Licenses

144

145

To Obtain and Add a COD RTU License Key to the COD License

Database

145

To Delete a COD License Key From the COD License Database

To Review COD License Information

147

Activating COD Resources

148

146

 

To Enable Instant Access CPUs and Reserve Domain RTU Licenses

150

Monitoring COD Resources

152

 

COD System Boards

152

 

To Identify COD System Boards

152

 

COD Resource Usage

153

 
 

To View COD Usage By Resource

153

To View COD Usage by Domain

154

To View COD Usage by Resource and Domain

156

 
 

Deconfigured and Unlicensed COD CPUs

158

Other COD Information

158

8.

Domain Control

161

Booting Domains

161

 

Keyswitch Control

162

Power Control

162

 

To Power System Boards On and Off From the Command Line

162

To Recover From Power Failure

Domain-Requested Reboot

Automatic System Recovery (ASR)

Domain Reboot

Domain Abort or Reset

164

165

166

165

164

Hardware Control

167

Power-On Self-Test (POST)

Blacklist Editing

168

167

Platform and Domain Blacklisting

To Blacklist a Component

To Remove a Component From the Blacklist

ASR Blacklist

168

168

173

Power Control

Fan Control

173

174

Hot-Plug Operations Unplugging 175

174

Plugging

175

SC Reset and Reboot

176

To Reset the Main or Spare SC

HPU LEDs

176

176

9. Domain Services

179

170

Management Network Overview

179

I1 Network

180

I2 Network

182

External Network Monitoring

183

MAN Daemons and Drivers Management Network Services

MAN Daemons and Drivers Management Network Services

184

184

Domain Console

185

Message Logging

186

Dynamic Reconfiguration

Network Boot and Solaris Software Installation

SC Heartbeats

186

187

187

10.

Domain Status Functions

189

Software Status

189

Status Commands

190

showboards Command 190 showdevices Command 190

showenvironment Command 190 showobpparams Command 191 showpcimode Command 191

showplatform Command

showxirstate Command

191

194

Solaris Software Heartbeat

194

Hardware Status

194

Hardware Configuration

Environmental Status

195

194

To Display the Environment Status for Domain A

Hardware Error Status

196

SC Hardware and Software Status

196

11.

Domain Events

199

Message Logging

199

Log File Maintenance Log File Management

200

203

Domain Reboot Events

205

Domain Reboot Initiation

Domain Boot Failure

205

205

Domain Panic Events

206

Domain Panic

Domain Panic Hang

Repeated Domain Panic

206

207

208

195

Solaris Software Hang Events

Hardware Configuration Events

208

209

Hot-Plug Events

Hot-Unplug Events

POST-Initiated Configuration Events

209

209

Environmental Events

210

Over-Temperature Events

Power Failure Events

Out-of-Range Voltage Events

212

212

212

Under-Power Events Fan Failure Events Clock Failure Events Hardware Error Events Domain Stop Events CPU-Detected Events Record Stop Events

212

212

213

213

214

215

215

Other ASIC Failure Events

215

210

 

SC Failure Events

215

12.

SC Failover

217

Overview 218

 

Fault Monitoring

219

File Propagation

220

Failover Management Startup 221

221

Main SC

221

Spare SC

222

Failover CLI Commands

222

setfailover Command 222

showfailover Command 224

Command Synchronization

226

cmdsync CLIs 227

initcmdsync Command

227

savecmdsync Command

227

cancelcmdsync Command 227

runcmdsync Command 228

showcmdsync Command 228

Data Synchronization

228

setdatasync Command 228

showdatasync Command 229

Failure and Recovery

229

Failover on Main SC (Main-Controlled Failover)

231

Fault on Main SC (Spare Takes Over Main Role)

232

I2 Network Fault

Fault on Main SC (I2 Network Is Also Down)

Fault Recovery and Reboot

233

234

I2 Fault Recovery

Reboot and Recovery

Client Failover Recovery

234

234

236

 

Security 237

13.

SMS Utilities

239

SMS Backup Utility

239

SMS Restore Utility

240

SMS Version Utility

241

Version Switching

242

234

To Switch Between Two Adjacent, Co-resident Installations of SMS

242

SMS Configuration Utility

243

UNIX Groups

Access Control List (ACL)

Network Configuration

245

MAN Configuration

243

244

244

A. SMS man Pages

247

B. Error Messages

251

Installing SMSHelp

251

To Install the SUNWSMSjh Package

To Start SMS Help

252

Types of Errors Error Categories

256

256

Glossary

259

Index

273

251

Figures

FIGURE 3-1

Platform Administrator Privileges

37

FIGURE 3-2

Platform Operator Privileges

38

FIGURE 3-3

Platform Service Privileges

39

FIGURE 3-4

Domain Administrator Privileges

41

FIGURE 3-5

Domain Configurator Privileges

42

FIGURE 3-6

Superuser Privileges

43

FIGURE 4-1

Sun Fire High-End System Software Components

51

FIGURE 4-2

CODD Client-Server relationships

55

FIGURE 4-3

DCA Client-Server Relationships

56

FIGURE 4-4

DSMD Client-Server Relationships

57

FIGURE 4-5

DXS Client-Server Relationships

58

FIGURE 4-6

EFHD Client-Server Relationships

59

FIGURE 4-7

ELAD Client-Server Relationships

59

FIGURE 4-8

ERD Client-Server Relationships

60

FIGURE 4-9

ESMD Client-Server Relationships

61

FIGURE 4-10

FOMD Client-Server Relationships

62

FIGURE 4-11

FRAD Client-Server Relationships

63

FIGURE 4-12

HWAD Client-Server Relationships

65

FIGURE 4-13

KMD Client-Server Relationships

68

FIGURE 4-14

MAND Client-Server Relationships

69

FIGURE 4-15

MLD Client-Server Relationships

70

FIGURE 4-16

OSD Client-Server Relationships

71

FIGURE 4-17

PCD Client-Server Relationships

72

FIGURE 4-18

SSD Client-Server Relationships

75

FIGURE 4-19

TMD Client-Server Relationships

79

FIGURE 6-1

Automatic Diagnosis and Recovery Process for Hardware Errors Associated With a Stopped Domain 122

FIGURE 6-2

Automatic Diagnosis Process for Nonfatal Domain Hardware Errors

125

FIGURE 6-3

Example Email Template and Generated Email

132

 

FIGURE 9-1

Management Network Overview

180

FIGURE 9-2

I1 Network Overview of the Sun Fire E25K/15K

181

 

FIGURE 9-3

I2 Network Overview

182

FIGURE 9-4

External Network Overview

183

FIGURE 12-1

Failover Fault Categories

230

Tables

TABLE 1-1

Tilde Usage

13

TABLE 3-1

All Group Privileges

44

TABLE 4-1

Daemons and Processes

52

TABLE 4-2

Example Environment Variables

80

TABLE 6-1

Event Tags in the Email Template File

130

TABLE 6-2

Email Control File Parameters

134

TABLE 6-3

showlogs(1M) Command Options for Displaying Error and Fault Event Information 139

TABLE 7-1

COD License Information

147

TABLE 7-2

setupplatform Command Options for COD Resource Configuration

149

TABLE 7-3

showcodusage Resource Information

154

TABLE 7-4

showcodusage Domain Information

155

TABLE 7-5

Obtaining COD Component, Configuration, and Event Information

159

 

TABLE 8-1

Valid location Arguments for Sun Fire High-End Servers

170

172

 

TABLE 8-2

Valid location Arguments for Sun Fire High-End Servers

TABLE 10-1

Domain Status Types

192

TABLE 10-2

Domain Status Types

193

TABLE 11-1

SMS Log Type Information

201

TABLE 11-2

MLD Default Settings

204

TABLE 12-1

Options for Modifying Failover States

223

TABLE 12-2

States of the Failover Mechanism

225

 

TABLE 12-3

showfailover Failure Strings

225

TABLE 12-4

fomd Hardware and Software Fault Categories

230

TABLE 12-5

Failover Fault Categories

231

TABLE 13-1

Switching Between SMS Versions

241

TABLE B-1

Error Types

256

TABLE B-2

Error Categories

256

Code Samples

CODE EXAMPLE 6-1

Example of a Dstop and Auto-Diagnosis Event Message in the Platform Log File 123

CODE EXAMPLE 6-2

Example of a Nonfatal Domain Hardware Error Identified by Solaris and the Domain Event Message 126

CODE EXAMPLE 6-3

Example of a POST Auto-Diagnosis Event Message 127

CODE EXAMPLE 6-4

Example Event Email 128

CODE EXAMPLE 6-5 Default Sample Email Template 129

CODE EXAMPLE 6-6

Email Control File (event_email.cf) 133

CODE EXAMPLE 6-7

Sample Email Control File 135

Preface

The System Management Services (SMS) 1.6 Administrator Guide describes how to perform various administration and monitoring tasks associated with the SMS software.

and monitoring tasks associated with the SMS software. Before You Read This Book This manual is

Before You Read This Book

This manual is intended for the Sun Fire™ system administrator, who has a working knowledge of UNIX® systems, particularly those based on the Solaris™ Operating System (Solaris OS). If you do not have such knowledge, read the Solaris User and System Administrator documentation provided with your system, and consider UNIX system administration training.

All members of the next-generation Sun Fire server family can be configured as loosely coupled clusters. However, it is outside of the scope of this document to address system management for Sun Fire high-end system cluster configurations.

for Sun Fire high-end system cluster configurations. How This Book Is Organized This guide contains the

How This Book Is Organized

This guide contains the following chapters:

Chapter 1 introduces the System Management Services software and describes its command-line interface.

Chapter 2 introduces security on the domains and system controllers.

Chapter 3 introduces administrative privileges.

Chapter 4 describes SMS domain internals and explains their use.

Chapter 5 describes domain configuration, options, and procedures.

Chapter 6 describes the automatic diagnosis and domain recovery features.

Chapter 7 describes Capacity on Demand (COD).

Chapter 8 describes the control functions.

Chapter 9 describes network services available and explains their use.

Chapter 10 describes status monitoring.

Chapter 11 describes event monitoring.

Chapter 12 describes system controller (SC) failover.

Chapter 13 describes SMS utilities for creating and restoring backups, configuring networks and user groups, and upgrading SMS software.

Appendix A provides a list of SMS man pages.

Appendix B describes SMS error messages.

of SMS man pages. Appendix B describes SMS error messages. Using UNIX Commands This document might

Using UNIX Commands

This document might not contain information on basic UNIX commands and procedures such as shutting down the system, booting the system, and configuring devices. See the following for this information:

Software documentation that you received with your system

Solaris Operating System (OS) documentation, which is at:

http://docs.sun.com

Typographic Conventions Typeface or Meaning Examples Symbol AaBbCc123 The names of commands, files, and

Typographic Conventions

Typeface or

Meaning

Examples

Symbol

AaBbCc123

The names of commands, files, and directories; on-screen computer output

Edit your .login file.

Use ls -a to list all files.

% You have mail.

AaBbCc123

What you type, when contrasted with on-screen computer output

% su

Password:

AaBbCc123

Book titles, new words or terms, words to be emphasized. Replace command-line variables with real names or values.

Read Chapter 6 in the User’s Guide. These are called class options. To delete a file, type rm filename.

class options. To delete a file, type rm filename . Shell Prompts Shell Prompt C shell

Shell Prompts

Shell

Prompt

C

shell

sc_name:sms-user:>

or

 

domain_id:sms-user:>

C

shell superuser

sc_name:#

or

domain_id:#

Bourne shell and Korn shell

>

Bourne shell and Korn shell superuser

#

Related Documentation The SMS documents are available at: http://www.sun.com/products-n-

Related Documentation

The SMS documents are available at:

http://www.sun.com/products-n-

solutions/hardware/docs/Servers/High-

End_Servers/Sun_Fire_e25K-

e20K/SW_FW_Documentation/SMS/index.html

The other documents can be found by typing in the name of the document in Search at:

http://www.sun.com/documentation/

Application

Title

Part Number

Format

Location

Software Overview

Sun Fire High-End Systems Software Overview Guide

819-4658-10

PDF

Online

HTML

Installation

System Management Services (SMS) 1.6 Installation Guide

819-4659-10

PDF

Online

HTML

Reference (man pages)

System Management Services (SMS) 1.6 Reference Manual

819-4662-10

PDF

Online

HTML

Release Notes

System Management Services (SMS) 1.6 Release Notes

819-4663-10

PDF

Online

HTML

Dynamic

Sun Fire High-End and Midrange Systems Dynamic Reconfiguration User Guide

819-1501-10

PDF

Online

Reconfiguration

HTML

OpenBoot

OpenBoot4.x Command Reference Manual 816-1177-10

PDF

Online

 

HTML

Site Planning

Sun Fire 15K/12K System Site Planning Guide

806-3510-12

PDF

Online

 

HTML

Security

Solaris Security Toolkit 4.2 Administration Guide

819-1402-10

PDF

Online

 

HTML

Security

Solaris Security Toolkit 4.2 Reference Manual

819-1503-10

PDF

Online

 

HTML

Security

Solaris Security Toolkit 4.2 Release Notes

819-1504-10

PDF

Online

 

HTML

Security

Solaris Security Toolkit 4.2 Man Page Guide

819-1505-10

PDF

Online

 

HTML

Solaris 10 OS IP Services

System Administration Guide: IP Services

816-4554

PDF

Online

 

HTML

Documentatio n , Support , and Training Sun Function URL Documentation http://www.sun.com/documentation/

Sun Function

URL

Documentation

http://www.sun.com/documentation/

Support

http://www.sun.com/support/

Training

http://www.sun.com/training/

Training http://www.sun.com/training/ Third-Party Web Sites Sun is not responsible for the

Third-Party Web Sites

Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

that are available on or through such sites or resources. Sun Welcomes Your Comments Sun is

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:

http://www.sun.com/hwdocs/feedback

Please include the title and part number of your document with your feedback:

System Management Services (SMS) 1.6 Administrator Guide, part number 819-4660-10

CHAPTER

1

Introduction to System Management Services

This manual describes the System Management Services (SMS) 1.6 software that is available with the Sun Fire high-end server system.

This chapter includes the following sections:

“Sun Fire High-End Systems” on page 1

“SMS Features” on page 3

“System Architecture” on page 5

“SMS Administration Environment” on page 6

“Sun Management Center” on page 14

on page 6 ■ “Sun Management Center” on page 14 Sun Fire High-End Systems The system

Sun Fire High-End Systems

The system controller (SC) in Sun Fire high-end systems is a multifunction, CP1500- or CP2140-based printed circuit board (PCB) that provides critical services and resources required for the operation and control of the Sun Fire system.

A Sun Fire high-end system is often referred to as the platform. System boards within

the platform can be logically grouped together into separately bootable systems

called dynamic system domains, or simply domains.

Up to 18 domains can exist simultaneously on a single Sun Fire E25K/15K, and up

to 9 domains on the Sun Fire E20K/12K. (Domains are introduced in this chapter,

and are described in more detail in Chapter 5). The SMS software lets you control and monitor domains, as well as the platform itself.

The SC provides the following services for the Sun Fire system:

Manages the overall system configuration.

Acts as a boot initiator for system domains.

Serves as the syslog (system log) host for system domains. Note that an SC can still be a syslog client of a LAN-wide syslog host.

Provides a synchronized hardware clock source.

Sets up and configures dynamic domains.

Monitors system environmental information, such as power supply, fan, and temperature status.

Hosts field-replaceable unit (FRU) logging data.

Provides redundancy and automated SC failover in dual-SC configurations.

Provides a default name service for the domains based on virtual host IDs, and provides MAC addresses for the domains.

Provides administrative roles for platform management.

Redundant SCs

There are two SCs within a Sun Fire platform. The SC that controls the platform is referred to as the main SC, while the other SC acts as a backup and is called the spare SC. The software running on the main SC monitors both SCs to determine when an automatic failover should be performed.

Configure the two SCs with the same configuration. This duplication includes the Solaris Operating System (OS), SMS software, security modifications, patch installations, and all other system configurations.

Note – For failover to be supported, both SCs must be configured with identical versions of the Solaris OS and SMS software.

The failover functionality between the SCs is controlled by daemons running on the main and spare SCs. These daemons communicate across private communication paths built into the Sun Fire platform. Other than the communication between these daemons, there is no special trust relationship between the two SCs.

SMS software packages are installed on the SC. In addition, SMS communicates with the Sun Fire high-end system over an Ethernet connection. See “Management Network Services” on page 184.

Note – SMS 1.6 cannot communicate with SMS 1.4.1 across the I2 network. If one of the SCs is running SMS 1.4.1 and the other is running SMS 1.6, the I2 network tests will fail, and the SCs will communicate instead through high-availability SRAM (HASRAM) For information about the I2 network, see “I2 Network” on page 182.

SMS Features SMS 1.6 supports Sun Fire high-end domains running the Solaris 8 2/04, Solaris

SMS Features

SMS 1.6 supports Sun Fire high-end domains running the Solaris 8 2/04, Solaris 9 4/04, Solaris 10 3/05, Solaris 10 1/06, and Solaris 10 6/06 OSs. SMS 1.6 supports the Solaris 10 1/06, Solaris 10 6/06, Solaris 9 4/04, Solaris 9 9/04, and Solaris 9 9/05 OSs on the system controllers. The commands provided with the SMS software can be used remotely.

Note – The supported firmware version for SMS 1.6 is 5.2.0.

Note – Graphical user interfaces for many of the commands in SMS are provided by the Sun™ Management Center. For more information, see “Sun Management Center” on page 14.

SMS enables the platform administrator to perform the following tasks:

Administer domains by logically grouping domain configurable units (DCUs) together. DCUs are system boards such as CPU and I/O boards. Domains are able to run their own OSs and handle their own workloads. See Chapter 5.

Dynamically reconfigure a domain so that currently installed system boards can be logically attached to or detached from the OS while the domain continues running in multiuser mode. This feature is known as dynamic reconfiguration and is described in the System Management Services (SMS) 1.6 Dynamic Reconfiguration User Guide. (A system board can be physically swapped in and out when it is not attached to a domain, while the system continues running in multiuser mode).

Perform automatic dynamic reconfiguration of domains using a script. Refer to the System Management Services (SMS) 1.6 Dynamic Reconfiguration User Guide.

Monitor and display the temperatures, currents, and voltage levels of one or more system boards or domains.

Monitor and control power to the components within a platform.

Execute diagnostic programs such as power-on self-test (POST).

In addition, SMS:

Warns platform administrators of impending problems, such as high temperatures or malfunctioning power supplies.

Notifies platform administrators when a software error or failure has occurred.

Monitors a dual-SC configuration for single points of failure and performs an automatic failover from the main SC to the spare depending on the failure condition detected.

Automatically reboots a domain after a system software failure (such as a panic).

Keeps logs of interactions between the SC environment and the domains.

Provides support for the Sun Fire high-end system dual-grid power option.

SMS enables the domain administrator to perform the following tasks:

Administer domains by logically grouping domain configurable units (DCUs) together. DCUs are system boards such as CPU and I/O boards. Domains are able to run their own OSs and handle their own workloads. See Chapter 5.

Boot domains for which the administrator has privileges.

Dynamically reconfigure a domain for which the administrator has privileges, so that currently installed system boards can be logically attached to or detached from the OS while the domain continues running in multiuser mode. This feature is known as dynamic reconfiguration and is described in the System Management Services (SMS) 1.6 Dynamic Reconfiguration User Guide. (A system board can be physically swapped in and out when it is not attached to a domain, while the system continues running in multiuser mode.)

Perform automatic dynamic reconfiguration of domains using a script for which the administrator has privileges. Refer to the System Management Services (SMS) 1.6 Dynamic Reconfiguration User Guide.

Monitor and display the temperatures, currents, and voltage levels of one or more system boards or domains for which the administrator has privileges.

Execute diagnostic programs such as power-on self-test (POST) for which the administrator has privileges.

Features Provided in Previous Releases of SMS

Previous SMS releases provided the following:

Dynamic system domain (DSD) configuration

Configured domain services

Domain control capabilities

Automatic diagnosis and domain recovery

Capacity on Demand (COD)

Domain status reporting

Hardware control capabilities

Hardware status monitoring, reporting, and handling

Hardware error monitoring, reporting, and handling

System controller (SC) failover

Configurable administrative privileges

Dynamic FRUID

New Features Provided in SMS 1.6 Release

SMS 1.6 provides the following new features:

Support for Solaris 10 OS or higher on domains

Support for Solaris 10 1/06 and 6/06 OS on the system controllers

Support for UltraSPARC® IV 1.65-GHz processor

Readiness for UltraSPARC IV+ 1.8-GHz processor

Voltage core monitoring (VCMON)

2 GB DIMMs

Improved memory refresh rate

Secure by default for system controllers

Support for Solaris Security Toolkit 4.2

Support for Availability (AVL) 2.0 FS-2 software (Solaris 10 6/06 required)

UltraSPARC IV+ Processor Diagnosis Enhancements

Anchored Page Retire

Datapath Diagnosis Coordination (Domain FMA and SC)

Supported Platforms: UltraSPARC III Enterprise Server, Sun Fire V1280 and Netra 1280, and Sun Fire 15K families

VCMON

A voltage core monitoring parameter (VCMON) was added to the SMS software.

When VCMON is enabled, it monitors any voltage changes or drifts on the processors. If VCMON detects an upward change in voltage (which usually indicates a socket attach issue), it notifies the user with an FMA event and marks the component health status (CHS) of that processor as faulty.

component health status (CHS) of that processor as faulty. System Architecture SMS uses a distributed client-server

System Architecture

SMS uses a distributed client-server architecture. init(1M) starts, and restarts as necessary, one process: ssd(1M). ssd is responsible for monitoring all other SMS processes and restarting them as necessary. See FIGURE 4-1.

The Sun Fire high-end systems platform, the SC, and other workstations communicate over Ethernet. You perform SMS operations by entering commands on

the SC console after remotely logging in to the SC from another workstation on the local area network (LAN). You must log in as a user with the appropriate platform

or domain privileges if you want to perform SMS operations, such as monitoring and controlling the platform.

Note –

If SMS is stopped on the main SC and the spare SC is powered off, the

domains shut down gracefully and the platform is powered down. If the spare SC is simply powered off without a shutdown of SMS, SMS will not have time to power

off the platform and the domains will crash.

Dual-system controllers are supported within the Sun Fire high-end systems platform. One SC is designated as the primary or main system controller, and the other is designated as the spare system controller. If the main SC fails, the failover capability automatically switches to the spare SC as described in Chapter 12.

Most domain-configurable units are active components. This means that you must check the system state before powering off any DCU.

you must check the system state before powering off any DCU. Caution – Circuit breakers must

Caution – Circuit breakers must be on whenever a board is present, including expander boards, whether or not the board is powered on.

For details, see “Power Control” on page 173.

on. For details, see “Power Control” on page 173 . SMS Administration Environment Administration tasks on

SMS Administration Environment

Administration tasks on the Sun Fire high-end system are secured by group privilege requirements. SMS installs the following 39 UNIX groups to the /etc/group file.

platadmn – Platform administrator

platoper – Platform operator

platsvc – Platform service

– domain [domain-id|domain-tag] administrator (18)

dmn[A

R]admn

dmn[A

R]rcfg

– domain [domain-id|domain-tag] configurator (18)

The smsconfig(1M) command enables an administrator to add, remove, and list members of platform and domain groups, as well as set platform and domain directory privileges using the -a, -r, and -l options.

smsconfig also can configure SMS to use alternate group names, including NIS (Network Information Service) managed groups using the -g option. Group information entries can come from any of the sources for groups specified in the/etc/nsswitch.conf file (refer to nsswitch.conf(4)). For instance, if domain A was known by its domain tag as the Production Domain, an administrator could create an NIS group with the same name and configure SMS to use this group as the domain A administrator group instead of using the default, dmnaadmn. For more information, see Chapter 3, and refer to the smsconfig man page.

Network Connections for Administrators

The nature of the Sun Fire high-end systems physical architecture, with an embedded system controller, as well as the supported administrative model (with multiple administrative privileges, and thus multiple administrators) dictates that an administrator use a remote network connection from a workstation to access SMS command interfaces to manage the Sun Fire high-end system.

command interfaces to manage the Sun Fire high-end system. Caution – Shutting down a remote workstation

Caution – Shutting down a remote workstation while a tip session is active into a Sun Fire high-end system SC will bring both SCs down to the OpenBoot™ ok prompt. This will not affect the domains, and after powering the remote system back on you can restore the SCs by typing go at the ok prompt. However, you should end all tip sessions before shutting down a remote workstation.

Since the administrators provide information to verify their identity (passwords) and might need to display sensitive data, it is important that the remote network connection be secure. Physical separation of the administrative networks provides some security on the Sun Fire high-end system. Multiple external physical network connections are available on each SC. SMS software supports up to two external network communities.

For more information on Sun Fire high-end system networks, see “Management Network Services” on page 184. For more information on securing the Sun Fire high- end system, see Chapter 2, “Using Solaris Security Toolkit to Secure the System Controller” on page 29.

SMS Operating System

SMS provides a command-line interface (CLI) to the various functions and features the program contains. You can interact with the SC and the domains on a system by using the CLI commands.

For the examples in this guide, the sc-name is sc0 and sms-user is the user-name of the administrator, operator, configurator, or service personnel logged in to the system.

The privileges allotted to the user are determined by the platform or domain groups to which the user belongs. In these examples, the sms-user is assumed to have both platform and domain administrator privileges, unless otherwise noted.

For more information on the function and creation of SMS user groups, see Chapter 3 and refer to the System Management Services (SMS) 1.6 Installation Guide.

To Begin Using the SC

1. Boot the SC.

Note – This procedure assumes that smsconfig -m has already been run. If smsconfig -m has not been run, you will receive the following error when SMS attempts to start and SMS will exit.

sms: smsconfig(1M) has not been run. Unable to start sms services.

2. Log in to the SC and verify that SMS software startup has completed. Type:

sc0:sms-user:> showplatform

Output similar to the following is displayed if you have platform privileges.

sc0:sms-user:> showplatform

PLATFORM:

======== Platform Type: Sun Fire 15000

CSN:

==== Chassis Serial Number: 353A00053

COD:

==== Chassis HostID : 5014936C37048 PROC RTUs installed : 8 PROC Headroom Quantity : 0 PROC RTUs reserved for domain A : 4 PROC RTUs reserved for domain B : 0 PROC RTUs reserved for domain C : 0 PROC RTUs reserved for domain D : 0 PROC RTUs reserved for domain E : 0 PROC RTUs reserved for domain F : 0 PROC RTUs reserved for domain G : 0 PROC RTUs reserved for domain H : 0 PROC RTUs reserved for domain I : 0 PROC RTUs reserved for domain J : 0 PROC RTUs reserved for domain K : 0 PROC RTUs reserved for domain L : 0 PROC RTUs reserved for domain M : 0 PROC RTUs reserved for domain N : 0 PROC RTUs reserved for domain O : 0 PROC RTUs reserved for domain P : 0 PROC RTUs reserved for domain Q : 0 PROC RTUs reserved for domain R : 0

Available Component List for Domains:

===================================== Available for domain newA:

SB0 SB1 SB2 SB7 IO1 IO3 IO6 Available for domain engB:

No System boards No IO boards Available for domain domainC:

No System boards IO0 IO1 IO2 IO3 IO4 Available for domain eng1:

No System boards No IO boards Available for domain E:

No System boards

No IO boards Available for domain domainF:

No System boards No IO boards Available for domain dmnG:

No System boards No IO boards Available for domain domain H:

No System boards No IO boards Available for domain I:

No System boards No IO boards Available for domain dmnJ:

No System boards No IO boards Available for domain K:

No System boards No IO boards Available for domain L:

No System boards No IO boards Available for domain M:

No System boards No IO boards Available for domain N:

No System boards No IO boards Available for domain O:

No System boards No IO boards Available for domain P:

No System boards No IO boards Available for domain Q:

No System boards No IO boards Available for domain dmnR:

No System boards No IO boards

Domain Ethernet Addresses:

=============================

Domain ID

Domain Tag

Ethernet Address

A

newA

8:0:20:b8:79:e4

B

engB

8:0:20:b4:30:8c

C

domainC

8:0:20:b7:30:b0

D

-

8:0:20:b8:2d:b0

E

eng1

8:0:20:f1:b7:0

F

domainF

8:0:20:be:f8:a4

G

dmnG

8:0:20:b8:29:c8

H

-

8:0:20:f3:5f:14

I

-

8:0:20:be:f5:d0

J

dmnJ

UNKNOWN

K

-

8:0:20:f1:ae:88

L

-

8:0:20:b7:5d:30

M

-

8:0:20:f1:b8:8

N

-

8:0:20:f3:5f:74

O

-

8:0:20:f1:b8:8

P -

8:0:20:b8:58:64

Q -

8:0:20:f1:b7:ec

R dmnR

8:0:20:f1:b7:10

Domain Configurations:

======================

DomainID Domain Tag

Solaris Nodename

Domain Status

A newA

-

Powered Off

B engB

sun15-b

Keyswitch Standby

C domainC

sun15-c

Running OBP

D -

sun15-d

Running Solaris

E eng1

sun15-e

Running Solaris

F domainF

sun15-f

Running Solaris

G dmnG

sun15-g

Running Solaris

H -

sun15-g

Solaris Quiesced

I -

-

Powered Off

J dmnJ

-

Powered Off

K -

sun15-k

Booting Solaris

L -

-

Powered Off

M -

-

Powered Off

N -

sun15-n

Keyswitch Standby

O -

-

Powered Off

P -

sun15-p

Running Solaris

Q -

sun15-q

Running Solaris

R dnmR

sun15-r

Running Solaris

At this point, you can begin using SMS programs.

SMS Console Window

An SMS console window provides a command-line interface from the SC to the Solaris OS on the domains.

To Display a Console Window Locally

1. Log in to the SC, if you have not already done so.

Note – You must have domain privileges for the domain on which you want to run console.

2. Type:

sc0:sms-user:> console -d domain-indicator option

where:

-d

Specifies the domain using a domain-indicator:

domain-id – ID for a domain. Valid domain-ids are 'A' insensitive.

'R'

and are case

domain-tag – Name assigned to a domain using addtag(1M).

-f

Force Opens a domain console window with locked write permission, terminates all other open sessions, and prevents new ones from being opened. This constitutes an exclusive session. Use it only when you need exclusive use of the console (for example, for private debugging). To restore multiple- session mode, either release the lock (~^) or terminate the console session (~.).

-g

Grab Opens a console window with unlocked write permission. If another session has unlocked write permission, the new console window takes it away. If another session has locked permission, this request is denied and a read-only session is started.

-l

Lock Opens a console window with locked write permission. If another session has unlocked write permission, the new console window takes it away. If another session has locked permission, the request is denied and a read- only session is started.

-r

Read Only Opens a console window in read-only mode.

The console command creates a remote connection to the domain’s virtual console driver, making the window in which the command is executed a console window for the specified domain (domain-id or domain-tag).

If console is invoked without any options when no other console windows are running for that domain, it comes up in an exclusive locked write mode session.

If console is invoked without any options when one or more nonexclusive console windows are running for that domain, it will appear in read-only mode.

Locked write permission is more secure. It can only be removed if another console is

or if ~* (tilde-asterisk) is entered from another running

console window. In both cases, the new console session is an exclusive session, and

opened using console -f

all other sessions are forcibly detached from the domain virtual console.

The console command can use either Input Output Static Random Access Memory (IOSRAM) or the internal management network for domain console communication. You can manually toggle the communication path by using the ~= (tilde-equal sign) command. Doing so is useful if the network becomes inoperable, in which case the console session appears to be hung.

Many console sessions can be attached simultaneously to a domain, but only one console will have write permissions; all others will have read-only permissions. Write permissions are in either locked or unlocked mode.

Tilde Escape Sequences

In a domain console window, a tilde ( ~ ) that appears as the first character of a line is interpreted as an escape signal that directs console to perform some special action, as shown in the following table:

TABLE 1-1

Tilde Usage

Character

Description

~?

Status message.

~.

Disconnects console session.

~#

Breaks to OpenBoot PROM or kadb.

~@

Acquires unlocked write permission. See option -g.

~^

Releases write permission.

~=

Toggles the communication path between the network and IOSRAM interfaces. You can use ~= only in private mode (see ~* ).

~&

Acquires locked write permission; see option -l . You can issue this signal during a read-only or unlocked write session.

~*

Acquires locked write permission, terminates all other open sessions, and prevents new sessions from being opened; see option -f . To restore multiple-session mode, either release the lock or terminate this session.

The rlogin command also processes tilde-escape sequences whenever a tilde is seen at the beginning of a new line. If you must send a tilde sequence at the beginning of a line and you are connected using rlogin, use two tildes (the first escapes the second for rlogin). Alternatively, do not enter a tilde at the beginning of a line when running inside of an rlogin window.

If you use a kill -9 command to terminate a console session, the window or terminal in which the console command was executed goes into raw mode, and appears hung. Press CTRL-J, then type stty sane, then press CTRL-J to escape this condition.

In the domain console window, vi(1) runs properly and the escape sequences (tilde commands) work as intended only if the environment variable TERM has the same setting as that of the console window.

For example:

sc0:sms-user:> setenv TERM xterm

To resize the window, type:

sc0:sms-user:> stty rows 20 cols 80

For more information on the domain console, see Chapter 9 and refer to the console man page.

Remote Console Session

In the event that a system controller hangs and that console cannot be reached directly, SMS provides the smsconnectsc command to remotely connect to the hung SC. This command works from either the main or spare SC. For more information and examples, refer to the smsconnectsc man page.

You may also connect to the hung SC using an external console connection, but you cannot run smsconnectsc and use an external console at the same time.

smsconnectsc and use an external console at the same time. Sun Management Center Sun Management Center

Sun Management Center

Sun Management Center for Sun Fire high-end systems is an extensible monitoring and management tool that integrates standard Simple Network Management Protocol (SNMP)-based management structures with new intelligent and autonomous agent and management technology based on the client-server paradigm.

Sun Management Center is used as the graphical user interface (GUI) and SNMP manager-agent infrastructure for the Sun Fire system. The features and functions of Sun Management Center are not covered in this manual. For more information, refer to the latest Sun Management Center documentation available at:

www.docs.sun.com

CHAPTER

2

SMS 1.6 Security

This chapter provides an overview of security as it pertains to SMS 1.6 and the Sun Fire high-end (E20K/12K and E25K/15K) systems. Security options consist of securing the domains (optional suggestion) and system controllers (strongly suggested) of a given system, as well as overall system hardening. Hardening is the modification of Solaris OS configurations to improve the security of a system.

These suggestions apply to environments where security is a concern, particularly environments where the uptime requirements of the system controllers or the information on the Sun Fire server is critical to the organization.

The system controllers control the hardware components that make up a Sun Fire high-end system. Because they are a central control point for the entire frame, the SCs represent an attack point for intruders. To improve reliability, availability, serviceability, and security (RASS), the system controllers must be secured against malicious misuse and attack. Overviews of domain and system controller security issues follow.

This chapter contains the following sections:

“Domain Security Overview” on page 18

“System Controller Security Overview” on page 18

“What Has Changed in SMS 1.6” on page 24

“Initial or Fresh SMS Installation Using smsinstall Command (Secure by Default)” on page 27

“SMS Upgrade Installation Using smsupgrade Command (Secure by Choice)” on page 28

Domain Security Overview The Sun Fire high-end system platform hardware can be partitioned into one

Domain Security Overview

The Sun Fire high-end system platform hardware can be partitioned into one or more environments capable of running separate images of the Solaris OS. These environments are called dynamic system domains (DSDs) or domains.

A domain is logically equivalent to a physically separate server. The Sun Fire high-

end system hardware enforces strict separation of the domain environments. This means that, except for errors in hardware shared by multiple domains, no hardware error in one domain affects another. For domains to act like separate servers, Sun Fire software was designed and implemented to enforce strict domain separation.

SMS provides services to all domains. In providing those services, no data obtained from one client domain is leaked into data observable by another. This is particularly true for sensitive data such as buffers of console characters (including administrator passwords) or potentially sensitive data such as I/O buffers containing client domain-owned data.

SMS limits administrator privilege. This enables you to control the extent of damage that can occur due to administrator error, as well as to limit the exposure to damage caused by an external attack on a system password. See Chapter 3.

by an external attack on a system password. See Chapter 3 . System Controller Security Overview

System Controller Security Overview

Securing the system controllers is the first priority in configuring Sun Fire high-end systems to be resistant to unauthorized access and to function properly in hostile environments. Before securing the system controllers, it is important to understand the services and daemons that are running on the system. This section describes the software, services, and daemons specific to the system controllers. The functionality

is described at a high level, with references to other Sun documentation for more

detailed information. This section provides administrators with a baseline of functionality required for the system controllers to perform properly.

The system controllers (SCs) are multifunction system boards within the Sun Fire frame. These SCs are dedicated to running the SMS software. The SMS software is used to configure dynamic domains, provide console access to each domain, control whether a domain is powered on or off, and provide other functions critical to operating and monitoring Sun Fire high-end systems.

The following list is an overview of the many services the system controllers provide for the Sun Fire high-end systems:

Manages the overall system configuration.

Acts as a boot initiator for its domains.

Serves as the syslog host for its domains; note that an SC can still be a syslog client of a LAN-wide syslog host.

Provides a synchronized hardware clock source.

Sets up and configures dynamic domains.

Monitors system environmental information, such as power supply, fan, and temperature status.

Hosts field-replaceable unit (FRU) logging data.

Provides redundancy and automated SC failover.

Provides a default name service for the domains based on virtual host IDs, and MAC addresses for the domains.

Provides administrative roles for frame management.

Redundant System Controllers

Sun Fire frames have two system controllers. Our security suggestions are the same for both system controllers. The SC that controls the platform is referred to as the main SC, while the other SC acts as a backup and is called the spare SC. The software running on the SC monitors the system controllers to determine when to perform an automatic failover.

Note – For our sample configuration, the main SC is sc0 and the spare SC is sc1.

We suggest that the two system controllers have the same configuration. This duplication includes the Solaris OS, security modifications, patch installations, and all other system configurations, as well as the same version of SMS software.

The failover functionality between the system controllers is controlled by daemons running on the main and spare system controllers. These daemons communicate across private communication paths built into the Sun Fire frames. Other than the communication between these daemons, there is no special trust relationship between the two system controllers.

SC Network Interfaces

Several network interfaces are used on an SC to communicate with the platform, domains, and other system controllers. Most of these interfaces are defined as regular Ethernet network connections through /etc/hostname.* entries.

Main SC Network Interfaces

A typical main SC (sc0 in our sample) has two files in the /etc directory with

contents similar to the following:

# more /etc/hostname.scman0

192.168.103.1 netmask + broadcast + private up

# more /etc/hostname.scman1

192.168.103.33 netmask + private up

In addition, a typical main SC has corresponding entries in /etc/netmasks:

10.1.72.0 255.255.248.0

192.168.103.0

255.255.255.224

192.168.103.32

255.255.255.252

Note – Non-routed (RFC 1918) internet protocol (IP) addresses are used in all SC examples. We suggest that you use these types of IP addresses when deploying Sun Fire system controllers. The SMS software defines internal SC network connections

to be private and not advertised.

Domain-to-SC Communication (scman0) Interface

The /etc/hostname.scman0 entry sets up the I1 or domain-to-SC SMS Management Network (MAN). The first IP address in our example, 192.168.103.1, is controlled by the SMS software to be always available only on the main SC.

From a security perspective, misuse of or attacks on the I1 MAN network between the domains and the system controllers might adversely impact domain separation. The hardware implementation of the I1 network within a Sun Fire high-end chassis addresses these concerns by permitting only SC-to-domain and domain-to-SC communication. The I1 MAN network is implemented as separate point-to-point physical network connections between the system controllers and each of the 9 domains supported by a Sun Fire E20K/12K server or 18 domains supported by a Sun Fire E25K/15K server. Each of these connections terminates at separate I/O boards on each domain and SC.

On the system controllers, these multiple separate networks are consolidated into one meta-interface to simplify administration and management. The I1 MAN driver software performs this consolidation and enforces domain separation and failovers

to redundant communication paths.

Direct communication between domains over the I1 network is not permitted by the hardware implementation of the I1 network. By implementing the network in this manner, each SC-to-domain network connection is physically isolated from other connections.

Note – Although the scman0 network supports regular IP-based network traffic, it should be used only by Sun Fire management traffic. Any other use of this internal network might affect the reliability, availability, serviceability, and security of the entire platform. Refer to the scman (7D) and dman (7D) man pages for more information.

SC-to-SC Communication (scman1) Interface

The /etc/hostname.scman1 entry is used to configure the I2 or SC-to-SC MAN. This network connection, on which both system controllers have an IP address, is for the heartbeat connections between the two system controllers.

Both of the I1 and I2 MAN network connections are implemented internally in the Sun Fire high-end chassis. No external wiring is used.

Spare SC Network Interfaces

The spare SC has the same physical network interfaces as the main SC. The scman0 network interface is plumbed by the Solaris OS through the /etc/hostname.scman0 file on the spare SC in the same manner and with the same information as on the main SC. The difference between the main and spare system controllers is that the interface is inactive on the spare. The spare system controller’s scman0 port on the I/O hubs is disabled and mand does not provide path information to scman0 on the spare.

The scman1 interface, which is for SC-to-SC communication, has the following configuration information for this interface:

# more /etc/hostname.scman1 192.168.103.34 netmask + broadcast + private up

In addition, the spare SC has the following corresponding /etc/netmasks information:

10.1.72.0 255.255.248.0

192.168.103.0

255.255.255.224

192.168.103.32

255.255.255.252

Main and Spare Network Interface Sample Configurations

Use the following command to verify the status of the main SC:

# showfailover -r MAIN

Our network configuration sample appears as follows on the main SC (sc0):

# ifconfig -a

lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000

hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 10.1.72.80 netmask fffff800 broadcast 10.1.79.255 ether 8:0:20:a8:db:2e

scman0:flags=

1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 3 inet 192.168.103.1 netmask ffffffe0 broadcast

192.168.103.31

ether 8:0:20:a8:db:2e

scman1:flags=

1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4 inet 192.168.103.33 netmask fffffffc broadcast

192.168.103.35 ether 8:0:20:a8:db:2e

Note – Although the scman0 network supports regular IP-based network traffic, it should be used only by Sun Fire management traffic. Any other use of this internal network might affect the reliability, availability, and serviceability, and security of the entire platform. Refer to the scman (7D) and dman (7D) man pages for more information.

Our sample network configuration appears as follows on the spare SC (sc1):

# ifconfig -a lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1

inet 127.0.0.1 netmask ff000000

hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 10.1.72.81 netmask ffffff00 broadcast 10.1.72.255 ether

8:0:20:a8:ba:c7

scman0:flags=

1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 3 inet 192.168.103.1 netmask ffffffe0 broadcast 192.168.103.31 ether 8:0:20:a8:ba:c7

scman1: flags= 1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4 inet 192.168.103.34 netmask fffffffc broadcast 192.168.103.35 ether 8:0:20:a8:ba:c7

What Has Changed in SMS 1.6 Solaris Security Toolkit 4.2 software works with either Solaris

What Has Changed in SMS 1.6

Solaris Security Toolkit 4.2 software works with either Solaris 9 OS or Solaris 10 OS, and provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. Using the Solaris Security Toolkit software, you can harden and audit the security of systems.

Security options for a system using SMS 1.6 depends on whether the software is to be installed fresh or as an upgrade.

Secure By Default (Fresh Installation)

If the SMS version is a fresh installation, the smsinstall command is used and

then automatic hardening is accomplished as a function of the installation (secure by default). That is, the system is hardened as the system controllers are made secure.

In this instance the domains can also be made secure manually with Solaris Security

Toolkit (SST) 4.2.0 software, which is downloaded as a function of the installation. If you are going to install SMS 1.6 fresh, proceed to “Initial or Fresh SMS Installation Using smsinstall Command (Secure by Default)” on page 27.

Note – The minimum supported version of SST on Solaris 10 OS is 4.2.0. The minimum supported version of SST on Solaris 8 and 9 OS is 4.1.1.

Secure By Choice (Upgrade)

If the installation is an upgrade, automatic system hardening does not occur. In this

instance, the smsupgrade command is used, Solaris Security Toolkit software is installed as a function of the upgrade and can then be used to harden, undo hardening, and audit the security posture of a system (secure by choice). This includes the system controllers as well as domains. For an upgrade to SMS 1.6, as well as post-SMS hardening procedures proceed to “SMS Upgrade Installation Using smsupgrade Command (Secure by Choice)” on page 28.

Installation Changes

A list of major changes that have occurred for installing SMS 1.6, regardless of which

installation method is used, follows:

SMS automatically checks for the presence of Solaris Security Toolkit Version 4.2. If an earlier version is present, the installation process is temporarily halted and the user is prompted to remove the incompatible version before continuing. Once the incompatible version is removed, the installation process is restarted and Solaris Security Toolkit version 4.2 is automatically installed.

FixModes and MD5 software are now automatically installed as a function of installing SMS 1.6.

Due to improved filtering, do not disable ARP traffic on the I1 MAN network.

Assumptions and Limitations

The suggestions herein are based on several assumptions and limitations as to what can be done to secure Sun Fire system controllers, resulting in a supported configuration.

Note – The suggestions in this document are for System Management Services (SMS) 1.6 software, and differences between SMS 1.6 and previous releases are not discussed. It is suggested that all customers upgrade their software to SMS 1.6 when possible.

Solaris OS hardening can be interpreted in many ways. For purposes of developing a hardened SC configuration, we address hardening all possible Solaris OS options. That is, anything that can be hardened is hardened. When there are good reasons for leaving services and daemons as they are, we do not harden or modify them.

Note – Hardening Solaris OS configurations to the level described in this article might not be appropriate for your environment. For some environments, you might want to perform fewer hardening operations than suggested here. The configuration remains supported in these cases; however, additional hardening beyond what is suggested in this document is not supported.

You can customize a copy of the Sun Fire high-end servers SC module of the Solaris Security Toolkit to disable certain hardening scripts. It is strongly suggested that any modifications to the default modules be made in copies of those files, which will simplify upgrades to newer Solaris Security Toolkit versions.

Note – Standard security rules apply to the hardening of system controllers: That which is not specifically permitted is denied.

Additional software that you can install on the system controllers, such as Sun Remote Services Event Monitoring, Sun Remote Services Net Connect, and Sun Management Center software has been omitted from this document. We suggest that you carefully consider the security implications implicit with the installation of these types of software.

Obtaining Support

The SC configuration for Sun Fire high-end systems implemented by the Solaris Security Toolkit software (sunfire_15k_sc-secure.driver) is a Sun supported configuration. A hardened SC is supported only if the security modifications are performed using the Solaris Security Toolkit.

are performed using the Solaris Security Toolkit. Initial or Fresh SMS Installation Using smsinstall Command

Initial or Fresh SMS Installation Using smsinstall Command (Secure by Default)

In this instance, the smsinstall command is used to install SMS 1.6 software. Automatic secure by default will occur wherein the system controllers of a system are automatically hardened and made secure as a function of the installation process.

The Sun Fire 15K and 12K SC module sunfire_15k_sc-secure.driver performs hardening tasks. This Solaris Security Toolkit driver is implemented by default and disables all those services which can be disabled without adversely affecting SMS. A user can enable as many services as required, but cannot disable more services than were disabled by the SMS installation software.

Customizing the Solaris Security Toolkit

You might determine that your system requires some of the services and daemons disabled by the Solaris Security Toolkit. To customize the Solaris Security Toolkit software to meet your particular requirements, see “Customizing the Solaris Security Toolkit Driver” on page 30.

Optionally Securing Domains

An option also exists to further harden a system by securing the system domains as indicated in the following Sun BluePrints™ Online articles available at:

http://www.sun.com/security/blueprints

Securing the Sun Fire high-end Domains

Solaris Operating System Security – Updated for Solaris 8 (2/04) Operating System

Solaris Operating System Security – Updated for Solaris 9 (4/04) Operating System

SMS Upgrade Installation Using smsupgrade Command (Secure by Choice) In this instance, the smsupgrade command

SMS Upgrade Installation Using smsupgrade Command (Secure by Choice)

In this instance, the smsupgrade command is used to install SMS 1.6 software. Automatic hardening by default is not accomplished. However, Solaris Security Toolkit software is installed as a function of the upgrade and can be used to manually harden, undo hardening and audit the security posture of a system

The following security options are available:

Strongly suggested:

Use Solaris Security Toolkit to secure the system controllers.

Optional:

Secure domains.

Disable all IP traffic between the SC and a domain by excluding that domain from the SC’s MAN driver.

Optionally Securing Domains

For systems where domain separation is critical, we suggest disabling IP connectivity between the SC and specific domains that require separation.

To implement securing the system controllers, refer to “Using Solaris Security Toolkit to Secure the System Controller” on page 29. To implement the optional securing of domains refer to the following Sun BluePrints Online articles available at:

http://www.sun.com/security/blueprints

Securing the Sun Fire high-end Domains

Solaris Operating System Security – Updated for Solaris 8 (2/04) Operating System

Solaris Operating System Security – Updated for Solaris 9 (4/04) Operating System

Using Solaris Security Toolkit to Secure the System Controller

To effectively secure system controllers, changes are required to both the Solaris OS software running on the system controllers and the configuration of the Sun Fire high-end platform. Customized modules added to Solaris Security Toolkit software simplify the Solaris OS installation and deployment of these suggestions. These modules automate the implementation of the security suggestions.

Solaris Security Toolkit software is always being updated. Solaris Security Toolkit version 4.2 is downloaded as a function of the smsupgrade command. However, to ensure you have the latest version of Solaris Security Toolkit when you are installing SMS, see the following web site:

http://www.sun.com/security/jass

If you download a later version, install it to the Bundled_Products directory of the SMS zip file, replacing the old package with the same name. You must decompress the Solaris Security Toolkit packages after downloading them.

Note – For instructions on installing the Solaris Security Toolkit packages manually, refer to the Solaris Security Toolkit Installation Guide.

Note – Disable failover before hardening either of the system controllers. Re-enable failover only after both system controllers are hardened and tested.

Note – Configuration modifications for performance enhancements and software configuration are not addressed by the Solaris Security Toolkit.